How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...ScyllaDB
Scylla includes multiple features that collectively provide a robust security model. Most recently we announced support for encryption-at-rest in Scylla Enterprise. This enables you to lock down your data even in multi-tenant and hybrid deployments of Scylla. Join Tzach and Dejan for an overview of security in Scylla and to see how you can approach it holistically using the array of Scylla capabilities. They will review Scylla security features, from basic to more advanced, including:
Reducing your attack surface
Authorization & Authentication
Role-Based Access Control
Encryption in Transit
Encryption at Rest, in 2019.1.1 and beyond
LDAP authentication is a common requirement for any enterprise software. It gives users consistent login procedures across multiple components of the IT infrastructure, while centralizing the control of access rights. Scylla Enterprise now supports authentication via LDAP. We will look into how to configure Scylla Enterprise for LDAP interaction and how to fine-tune access control through it.
Spark, or how to process data at lightning speed, by Alexis Seigneurin
Spark is part of the new generation of data-processing frameworks built on Hadoop. The tool makes aggressive use of memory to deliver processing times up to 100 times faster than Hadoop. In this session we will look at the principles of data processing (MapReduce in particular) and the options available for standing up a cluster (ZooKeeper, Mesos, ...). We will review the different modules the framework offers, in particular Spark Streaming for processing continuous data streams.
Presentation given at Ippon on 11 December 2014.
TA505: A Study of High End Big Game Hunting in 2020MITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour October 2020
By Brandon Levene, Head of Applied Intelligence Google, @seraphimdomain
Opportunistically targeted ransomware deployments, aka Big Game Hunting (BGH), have caused a distinct disruption in the mechanics of monetizing crimeware compromises. This strategy has become the “end game” for the majority of organized cybercrime organizations, and one effect of this shift is the increased emphasis on enterprise-level targets. In this talk from the MITRE ATT&CKCon Power Hour session on October 9, 2020, Levene walks us through research about how a specific BGH threat actor pursues entry points, gains its foothold, pivots, and deploys payloads to maximize their financial gains with minimal effort - and infrastructure! You’ll walk away with an understanding of the latest BGH TTPs seen in enterprise environments, and how they map to the ATT&CK framework so you can build this research into your threat detection strategy and enhance your defenses.
Building Robust ETL Pipelines with Apache SparkDatabricks
Stable and robust ETL pipelines are a critical component of the data infrastructure of modern enterprises. ETL pipelines ingest data from a variety of sources and must handle incorrect, incomplete or inconsistent records and produce curated, consistent data for consumption by downstream applications. In this talk, we’ll take a deep dive into the technical details of how Apache Spark “reads” data and discuss how Spark 2.2’s flexible APIs, support for a wide variety of data sources, state-of-the-art Tungsten execution engine, and ability to provide diagnostic feedback to users make it a robust framework for building end-to-end ETL pipelines.
Running Apache Spark on a High-Performance Cluster Using RDMA and NVMe Flash ...Databricks
Effectively leveraging fast networking and storage hardware (e.g., RDMA, NVMe, etc.) in Apache Spark remains challenging. Current ways to integrate the hardware at the operating system level fall short, as the hardware performance advantages are shadowed by higher-layer software overheads. This session will show how to integrate RDMA and NVMe hardware in Spark in a way that allows applications to bypass both the operating system and the Java virtual machine during I/O operations. With such an approach, the hardware performance advantages become visible at the application level, and eventually translate into workload runtime improvements. Stuedi will demonstrate how to run various Spark workloads (e.g., SQL, Graph, etc.) effectively on 100Gbit/s networks and NVMe flash.
Understanding InfluxDB’s New Storage EngineInfluxData
Learn more about InfluxDB’s new storage engine! The team developed a cloud-native, real-time, columnar database optimized for time series data. We built it all in Rust and it sits on top of Apache Arrow and DataFusion. We chose Apache Parquet as the persistent format, which is an open source columnar data file format. This new storage engine provides InfluxDB Cloud users with new functionality, including the removal of cardinality limits, so developers can bring in massive amounts of time series data at scale.
In this webinar, Anais Dotis-Georgiou will dive into:
Requirements for rebuilding InfluxDB’s core
Key product features and timeline
How Apache Arrow’s ecosystem is used to meet those requirements
Stick around for a demo and live Q&A
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
Join Infocyte co-founder and Chief Product Officer, Chris Gerritz, for a two-hour digital forensics and incident response (DFIR) training session.
During this presentation, Chris shows participants how to set up Infocyte's managed detection and response (MDR) platform and how to leverage Infocyte to detect, investigate, isolate, and eliminate sophisticated cyber threats. Additionally, Infocyte helps enterprise cyber security teams eliminate hidden IT risks, improve security hygiene, maintain compliance, and streamline security operations—including improving the capabilities of existing endpoint security tools.
Using Infocyte's new extensions, participants are encouraged to custom create their own collection (detection and analysis) and action (incident response) extensions.
This slide deck is used as an introduction to the internals of Apache Spark, as part of the Distributed Systems and Cloud Computing course I hold at Eurecom.
Course website:
http://michiard.github.io/DISC-CLOUD-COURSE/
Sources available here:
https://github.com/michiard/DISC-CLOUD-COURSE
OSINT is becoming a necessity and the market is growing. OSINT tools, WEBINT and social media monitoring automation allow analysts to cope with various sources and provide near real-time analyses. An increasing amount of personal data, corporate content, and government databases are now open and accessible to intelligence organizations around the world, leading to a rise in OSINT investments and, by extension, OSINT, WEBINT or SOCMINT budgets. One of the fastest-growing verticals is Open-Source Intelligence monitoring for cyber intelligence, in the realm of Threat Intelligence.
Someone deployed their application as a Docker container. Then another someone came along and hacked it. Then everyone starts looking at you asking, "How did this happen?"
This talk goes into how to extract the forensic artifacts of a Docker container, both if it is still running on a live system (easy) and if you must start from a cold disk image (harder).
A cheatsheet of the high points of this talk is also available here: https://www.didactic-security.com/resources/docker-forensics-cheatsheet.pdf
The video of this presentation at BSides RDU 2018 is online here: https://youtu.be/esj_NoTsywU?t=3667
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
Every admin tool is an attack tool, yet there are no good or bad shells - that part is up to you. Coming from dozens of engagements consulting on various role-based remote operations architectures & Red Team assessments for organizations on 4 continents, with fresh research hijacking full tokens from network logon-type sessions - we’ll dive into a technical, hands-on set of examples for both Offensive and Defensive teams, of what SUCKS and what ROCKS in Windows ‘Living off the land’ remote admin operations, protocols, and APIs. We'll talk about the pros and cons of jump server architectures, as well as role-based shells, limiting PowerShell in creative ways. We'll also introduce fresh research to achieve full token hijack from network logon-type sessions, without any hash and/or TGT!
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...RootedCON
Incident response and forensic analysis procedures are different in the cloud from those carried out in traditional, on-premises environments. We will look at the differences between traditional digital forensics and forensics for systems in the AWS, Azure or Google Compute Platform clouds. When dealing with the cloud, in a fully virtual environment, we face challenges that differ from those of the traditional world. What used to be hardware is now software. With cloud infrastructure providers we work with APIs: we create, delete or modify any resource with a call to their API. We have load balancers, servers, routers, firewalls, databases, WAFs, encryption systems and many more resources without opening a box or touching a cable. At the stroke of a command. This is what we know as Infrastructure as Code. If you can program it, you can automate it. How can we take advantage of this from the point of view of incident response, forensic analysis or even automated hardening?
Security in IaaS: attacks, hardening, incident response, forensics and everything about automating them. Although I will talk about general concepts related to AWS, Azure and GCP, I will show specific demos and threats in AWS and go into detail on some caveats and hazards in AWS.
Andrew Brandt, Symantec
Back in 2014 and 2015, the Dyre (sometimes called Dyreza) Trojan was a distinctive crimeware tool for the simple reason that it appeared to employ, and experiment with, a whole range of sophisticated tactics, techniques and procedures: It was the first Trojan which exclusively employed HTTPS for its C2 traffic; It operated on a modular basis with a small cadre of other malware families, such as the Upatre downloader, which seemed to support it exclusively, as well as email address scraping tools and spam mail relayers; and it was at least as interested in profiling the environment it had infected as it was in exfiltrating any data it could find on the victim's machine. Then it disappeared suddenly, but re-emerged this year in the form of a Trojan now called Trickbot (aka Trickybot), completely rewritten but with many of the same features. In the lab, we permit Trickbot samples to persist on infected machines for days to weeks in order to perform man-in-the-middle SSL decryption on their C2 traffic. In this session, attendees will get a detailed forensic analysis of the content of some of this C2 traffic and the endpoint behavior of various machines (virtual and bare-metal) when left infected for an extended period of time. Finally, we will share what we know about the botnet's C2 infrastructure and its historical reputation. By understanding how Trickbot functions, and to where it communicates, we hope we can help identify infections more rapidly and, maybe, interpret the motives of whoever is operating this shadowy botnet to predict its next course of action.
Slide deck for the Security Weekly session on Oct 25th 2018. Code is up on www.github/YossiSassi. Special thanks to Eyal Neemany & Omer Yair who helped prep this talk.
In this PowerPoint, learn how a security policy can be your first line of defense. Servers running AIX and other operating systems are frequent targets of cyberattacks, according to the Data Breach Investigations Report. From DoS attacks to malware, attackers have a variety of strategies at their disposal. Having a security policy in place makes it easier to ensure you have appropriate controls in place to protect mission-critical data.
Attackers don’t just search for technology vulnerabilities; they take the easiest path and find the human vulnerabilities. Drive-by web attacks, targeted spear phishing, and more are commonplace today, with the goal of delivering custom malware. In a world where attackers deliver custom advanced malware that handily evades signature and blacklisting approaches and does not depend on application software vulnerabilities, how do we know when our environments are compromised? What are the telltale signs that compromise activity has started, and how can we move to arrest a compromise in progress before the attacker moves laterally and reinforces their position? The penetration testing community knows these signs and artifacts of advanced malware presence, and it is up to us to help educate defenders on what to look for.
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSCody Thomas
Kerberos on macOS with and without Active Directory (AD). Where are attacks possible in Kerberos and how does the LKDC (Local Key Distribution Center) come into play.
Presented at Objective By The Sea (OBTS) 3.0 in Maui, Hawaii March 2020
Does your organization want to start Threat Hunting, but you’re not sure how to begin? Most people start with collecting ALL THE DATA, but data means nothing if you’re not able to analyze it properly. This talk focuses on the often overlooked first step of hunt hypothesis generation which can help guide targeted collection and analysis of forensic artifacts. We will demonstrate how to use the MITRE ATTACK Framework and our five-phase Hypothesis Generation Process to develop actionable hunt processes, narrowing the scope of your Hunt operation and avoiding “analysis paralysis.” We will then walk through a case study of Golden Ticket detection from concept to technical execution by way of the Hypothesis Generation Process. Along the way, we will detail some of the most common Golden Ticket indicators and will release a new PowerShell script for extracting Kerberos ticket information without any dependencies on external binaries.
Real time monitoring-alerting: storing 2Tb of logs a day in ElasticsearchAli Kheyrollahi
Building any averagely complex system in the cloud requires telemetry to be the number one concern: you would probably even start with planning and building it first (or perhaps you wish you had!). As Werner Vogels put it, “Netflix is a log-generating application that happens to stream video” - logging, monitoring and alerting have been central to the success of Netflix.
At ASOS, we currently generate more than 1TB of logs daily, which gets stored and analysed in our Elasticsearch cluster for monitoring and alerting purposes. The ELK stack (Elasticsearch, Logstash and Kibana) has been a very popular tool for logging and monitoring, but tuning Elasticsearch to handle such a load is an art form in itself.
In this talk, we start with an overview of the ELK stack (at ASOS we use ConveyorBelt instead of Logstash, so it is ECK for us) and then move on to sharing what we have learned from trying to scale our Elasticsearch for this load: from tuning various configuration parameters to planning your shard and mapping strategy, this talk has quite a bit to equip you to build or tune an ELK stack in your own company.
This presentation was given to the Dublin Node (JS) Community on May 29th 2014.
Presented by: Chris Lawless, Kevin Yu Wei Xia, Fergal Carroll @phergalkarl, Ciarán Ó hUallacháin, and Aman Kohli @akohli
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact and sustainability of software testing are discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Sustainability can be added to the quality characteristics and then measured continuously. Test environments can be used less, at a smaller scale, and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
The Metaverse and AI: how can decision-makers harness the Metaverse for their...Jen Stirrup
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Enhancing Performance with Globus and the Science DMZGlobus
ESnet has led the way in helping national facilities—and many other institutions in the research community—configure Science DMZs and troubleshoot network issues to maximize data transfer performance. In this talk we will present a summary of approaches and tips for getting the most out of your network infrastructure using Globus Connect Server.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
2. WhoAmI
• InfoSec Researcher; H@כk3r (1nTh35h311)
• Red mind, Blue heart
• Co-Founder @
• Consulting in 4 continents (Banks/gov/F100)
• 30+ years of keyboard access – Code, IT Sec, Net Comms.
• ~25 years of AD expertise; Ex-Javelin Networks (Acquired by Symantec)
• Ex-Technology Group Manager @ Microsoft (Coded Windows Server Tools)
• Aviator; Volunteer (Youth at risk); Oriental Rock Bouzoukitarist
3. ChatGPT was NOT used in the making of this presentation, code & content
6. What we’ll talk about
• ‘Hacktive Directory’ 101
• Sources of “Truth” in AD
• A set of tools for Pre, During and Post AD Breach
• Attributes of interest: Blue Team tips
8. Why hack AD? Why is AD so ‘Hackable’?
• A bit like what happened with TCP/IP…
– Great success, super popular
– …Yet architecture & design goals are very far from the modern landscape and threats
• Involved in every huge breach (as well as smaller ones ☺)
– Lion (2020), NTT (2020), Baltimore (2019), Norsk Hydro (2019), SingHealth (2018), MAERSK (2017), SONY (2014), Target (2013), many others…
• “The Microsoft Mainframe” – It’s not going away!
• Compromising your AD means GAME OVER.
10. Windows/AD 101
• AuthN protocols (NTLM, Kerberos, LDAP/S)
and “Secrets” (Hashes/ntlm, Tickets, caching, certificates…)
• Logon vs. Authentication (Local vs. Domain, logon types…)
• Security Principals (Users, Computers, Groups)
• Authorization / ACLs – going beyond group membership(s)
• e.g. direct SID assignment, ObjectAccess types etc.
• Processes, threads, handles, access tokens, logon sessions etc.
15. AD and AD DS ports
| Protocol and Port | AD and AD DS Usage | Type of traffic |
| --- | --- | --- |
| TCP 25 | Replication | SMTP |
| TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS |
| TCP 135 | Replication | RPC, EPM |
| TCP 137 | NetBIOS Name resolution | NetBIOS Name resolution |
| TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon |
| TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP |
| TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL |
| TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC |
| TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL |
| TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos |
| TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS |
| TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMBv1/2/3, CIFS, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc |
| TCP 9389 | AD DS Web Services | SOAP |
| TCP 5722 | File Replication | RPC, DFSR (SYSVOL) |
| TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password |
| UDP 123 | Windows Time, Trusts | Windows Time |
| UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution |
| UDP 138 | DFS, Group Policy, NetBIOS Netlogon, Browsing | DFSN, NetLogon, NetBIOS Datagram Service |
| UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service, but these ports may be necessary for other functions besides DHCP, such as WDS) | DHCP, MADCAP, PXE |
| TCP & UDP 1024-5000; 49152-65535 | Ongoing (RPC etc.) | RPC / DCOM / WMI... |
| TCP 593 | DCOM/Messaging/Exchange | RPC over HTTP |
16. “Confusing” architectural recommendations
• 90’s (The NT4 days): The more domains – the better!
• NT4 to NT5 -> Your opportunity to consolidate domains!
• Domain is NOT a security boundary! -> Separate into forests, with trusts.
• Trusts are bad as well (one/bi-directional, FPs, SidFiltering, sidHistory…)
• ESAE, aka “Red Forest” (Costly! & doesn’t play well with cloud) *
• Admin Tier Model
• Forget the costly & complex ‘Red Forest’ -> Privileged Access
* Still useful for isolated environments, e.g., offline R&D or disconnected OT/SCADA environments
18. HacKtive Directory: Sources of “Truth”
• Sysvol/Files vs. ETW/Event Logs vs. pcap/“hooks”
• Possible scenarios:
– No logs (not collected / not enough retention / wiped by ransomware)
– No online DCs (encrypted/offline VMs -> just backups…)
• Still, we want to know who did what & when
• NTDS.dit
• replPropertyMetaData
26. Get-LDAPperformance: Identifying Unusual and/or Large LDAP Queries
• Collects LDAP Query Performance events and analyzes them to CSV & Grid (relies on event ID 1644)
• Helps identify large or unusual LDAP queries, either for threat hunting or IT optimization
• No dependencies, no modules required. Requires ‘Event Log Readers’ permission or equivalent (to the ‘Directory Service’ log)
• Some prerequisites are needed on the AD side: enable the relevant auditing and set the registry key
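As an added example (not the Get-LDAPperformance script itself), the following pulls the per-query metrics out of a 1644 event's message text and flags the expensive ones. The "Label: value" line format and the default thresholds are assumptions based on the event's documented layout, and the sample message is constructed, not a captured event.

```powershell
function ConvertFrom-Ldap1644Message {
    param([Parameter(Mandatory)] [string] $Message)
    # Each metric appears on its own "Label: value" line in the event text (assumed format)
    $get = { param($label)
        if ($Message -match "(?m)^\s*$([regex]::Escape($label)):\s*(.*?)\s*$") { $Matches[1] } }
    [pscustomobject]@{
        Client          = & $get 'Client'
        StartingNode    = & $get 'Starting node'
        Filter          = & $get 'Filter'
        Scope           = & $get 'Search scope'
        VisitedEntries  = [int](& $get 'Visited entries')
        ReturnedEntries = [int](& $get 'Returned entries')
        SearchTimeMs    = [int](& $get 'Search time (ms)')
    }
}

function Get-ExpensiveLdapQuery {
    param(
        [Parameter(Mandatory)] [string[]] $Messages,
        [int] $VisitedThreshold    = 10000,   # mirrors the NTDS "expensive search" default
        [int] $SearchTimeThreshold = 30000    # mirrors the NTDS search-time default (ms)
    )
    foreach ($m in $Messages) {
        $q = ConvertFrom-Ldap1644Message -Message $m
        # Visited-per-returned ratio highlights unindexed or over-broad filters
        $ratio = if ($q.ReturnedEntries) { $q.VisitedEntries / $q.ReturnedEntries } else { $q.VisitedEntries }
        $q | Add-Member -NotePropertyName VisitedPerReturned -NotePropertyValue ([math]::Round($ratio, 1)) -PassThru |
            Where-Object { $_.VisitedEntries -ge $VisitedThreshold -or $_.SearchTimeMs -ge $SearchTimeThreshold }
    }
}

# Constructed sample resembling the 1644 event text: a full-tree objectClass=* dump
$sample = @'
Internal event: A client issued a search operation with the following options.
Client: 10.0.0.25:51234
Starting node: DC=corp,DC=example
Filter: (objectClass=*)
Search scope: subtree
Visited entries: 250000
Returned entries: 180000
Search time (ms): 4200
'@
Get-ExpensiveLdapQuery -Messages @($sample) | Format-List
```

On a DC where the 1644 diagnostics are enabled, the same functions can be fed `(Get-WinEvent -FilterHashtable @{LogName='Directory Service'; Id=1644}).Message` instead of the constructed sample.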
31. Golden Ticket = Game Over
• krbtgt password hash compromise -> privileged persistence via offline TGT forging
• The krbtgt hash can be obtained in several ways:
• Unauthorized AD replication (DCSync/DCShadow)
• Copy of the AD database or backup (NTDS.dit + SYSTEM registry hive)
• Stolen from lsass/DC memory (any RW DC, not RODC)
• The attack can occur in multiple ways & with multiple tools (e.g. mimikatz, with AES 256-bit hash, for 10 hours only, etc.)
32. Invoke-PostKrbtgtResetMonitor
• Centralized detection of Golden Tickets via anomalous Kerberos ticket detection AFTER resetting the krbtgt password TWICE
• No dependencies/modules. Requires ‘Event Log Readers’ or equivalent
34. GoldFinger
• Collects, analyzes & hunts for suspicious TGTs
• Detects suspicious TGTs on domain endpoints in real time
• Potential Pass-The-Hash
• Potential Golden Ticket
• No agent – works with WinRM or SMB (PaExec)
• No dependencies, no external modules (just .ps1)
• Research done to handle multiple anomalies:
• Logon Session User != Ticket Client Name <strong indication>, Ticket Lifetime != Expected Lifetime <default 10 hours>, Ticket Renewal Length != Expected Renewal Length <default 7 days>, KDC called is empty and DNSHostName is different from the current computer name, Encryption Type != aes256_cts_hmac_sha1_96 <rc4 is common for inter-forest/domain tickets>, Encoded Ticket Size, Session Logon Type is CachedInteractive <potential for some false positives>, etc.
35. GoldFinger (cont.)
• Requires Local Admin permissions on endpoints
• Supports running against different domains
• Supports running on the entire domain (default), or just specific computer(s), or excluding specific computer(s)
• Can optionally enable PSRemoting (and try to start WinRM on endpoints)
• Fixes clock skew issues, while at it
• … and more ☺
• Collector script heavily based on work by Jared Atkinson (@jaredcatkinson) & Matthew Graeber (@mattifestation)
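As an added example (not the GoldFinger script itself), this applies the TGT anomaly heuristics listed on slides 34 and 35 to a single ticket record. The field names on the ticket object and the sample ticket are constructed for illustration; a real collector would populate them from the endpoint's logon sessions and cached tickets.

```powershell
function Test-TgtAnomaly {
    param(
        [Parameter(Mandatory)] [pscustomobject] $Ticket,
        [TimeSpan] $ExpectedLifetime = (New-TimeSpan -Hours 10),   # default domain TGT lifetime
        [TimeSpan] $ExpectedRenewal  = (New-TimeSpan -Days 7)      # default domain renewal length
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Strongest indicator: the ticket's client name is not the logon session's user
    if ($Ticket.LogonSessionUser -ne $Ticket.ClientName) {
        $findings.Add("Logon session user '$($Ticket.LogonSessionUser)' != ticket client name '$($Ticket.ClientName)' (strong)")
    }
    # Lifetime and renewal window compared with the expected domain policy
    $lifetime = $Ticket.EndTime - $Ticket.StartTime
    if ($lifetime -ne $ExpectedLifetime) { $findings.Add("Ticket lifetime $lifetime != expected $ExpectedLifetime") }
    $renewal = $Ticket.RenewUntil - $Ticket.StartTime
    if ($renewal -ne $ExpectedRenewal) { $findings.Add("Renewal length $renewal != expected $ExpectedRenewal") }
    # A forged ticket was never requested from a KDC, so the KDC field tends to be empty
    if ([string]::IsNullOrEmpty($Ticket.KdcCalled)) { $findings.Add("KDC called is empty") }
    # RC4 is still common on inter-forest/domain tickets, so this one is only a weak signal
    if ($Ticket.EncryptionType -ne 'aes256_cts_hmac_sha1_96') {
        $findings.Add("Encryption type $($Ticket.EncryptionType) != aes256_cts_hmac_sha1_96 (weak)")
    }
    # Cached logons legitimately look odd and are a known false-positive source
    if ($Ticket.LogonType -eq 'CachedInteractive') { $findings.Add("Logon type CachedInteractive (possible false positive)") }
    return $findings
}

# Constructed sample (hypothetical field names): mismatched user, 10-year lifetime/renewal, RC4, no KDC
$start  = Get-Date '2024-01-01 08:00'
$sample = [pscustomobject]@{
    LogonSessionUser = 'CORP\jdoe'; ClientName = 'CORP\Administrator'
    StartTime = $start; EndTime = $start.AddYears(10); RenewUntil = $start.AddYears(10)
    KdcCalled = ''; EncryptionType = 'rc4_hmac'; LogonType = 'Interactive'
}
Test-TgtAnomaly -Ticket $sample
```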
39. Invoke-TgsMonitor
• Monitor TGS requests (all, or just failed ones, with error code reasons)
• Useful during a live IR without another central threat hunting log solution, or in general, to monitor access & failure reasons
• No dependencies, no modules
• Can also generate a ‘real-time monitor’ with a table containing the TGS events for a specific user or computer, or status/category, e.g.:
while ($true) { $x = cat .\TGSMonitor.csv | ConvertFrom-Csv; cls; $x | ? account -like "*yossis*" | ft -AutoSize; sleep 1 }
45. “Small step for IT, Giant step against Lateral Movement”
• No EDR
• No segmentation
• No firewall configuration
• No MFA
• All the misconfigurations you can think of…
• No proper auditing/SIEM/SOC
… and yet ☺
47. TimeLineGenerator
• AD account timeline generator – parses DC security logs & exports an activity timeline
• Can run directly on Domain Controllers (live, through WinRM), OR specify a path to Evtx files
• Can run a Full/Longer report, or a Focused/Quicker one, with a select set of events to filter. Default: “Focused-Quicker”
• Can set the max events to fetch per DC (limit to the last X events from the log, for performance). Default: gets all events
51. Key Takeaways
• ‘Hacktive Directory’ is here to stay! In-depth knowledge is key
• Invest in a “living off the land” mindset – a simple configuration can go further than a few expensive vendor products ☺
• Understand the Sources of “Truth” in AD
• ‘Hacktive Directory’ forensics are a part of a wider picture
– Event correlation & threat hunting with high-fidelity alerts
• Practice a Before, During & After approach
• Check out hacktivedirectory.com or github.com/YossiSassi for code & scripts – comments and improvements are welcome!